Search in sources :

Example 6 with DefaultAuthenticationHandlerExecutionResult

use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.

the class X509CredentialsAuthenticationHandlerTests method getTestParameters.

/**
 * Gets the unit test parameters.
 *
 * @return Test parameter data.
 */
@Parameters
public static Collection<Object[]> getTestParameters() {
    final Collection<Object[]> params = new ArrayList<>();
    X509CredentialsAuthenticationHandler handler;
    X509CertificateCredential credential;
    // Test case #1: Unsupported credential type
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(new Object[] { handler, new UsernamePasswordCredential(), false, null });
    // Test case #2:Valid certificate
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, credential, true, new DefaultAuthenticationHandlerExecutionResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #3: Expired certificate
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-expired.crt")), true, new CertificateExpiredException() });
    // Test case #4: Untrusted issuer
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"), true, false, false);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
    // Test case #5: Disallowed subject
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), true, RegexUtils.createPattern("CN=\\w+,OU=CAS,O=Jasig,L=Westminster,ST=Colorado,C=US"));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("snake-oil.crt")), true, new FailedLoginException() });
    // Test case #6: Check key usage on a cert without keyUsage extension
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, false);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, credential, true, new DefaultAuthenticationHandlerExecutionResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #7: Require key usage on a cert without keyUsage extension
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new FailedLoginException() });
    // Test case #8: Require key usage on a cert with acceptable keyUsage extension values
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    credential = new X509CertificateCredential(createCertificates("user-valid-keyUsage.crt"));
    params.add(new Object[] { handler, credential, true, new DefaultAuthenticationHandlerExecutionResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #9: Require key usage on a cert with unacceptable keyUsage extension values
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), false, true, true);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-invalid-keyUsage.crt")), true, new FailedLoginException() });
    // ===================================
    // Revocation tests
    // ===================================
    ResourceCRLRevocationChecker checker;
    // Test case #10: Valid certificate with CRL checking
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    credential = new X509CertificateCredential(createCertificates(USER_VALID_CRT));
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new DefaultAuthenticationHandlerExecutionResult(handler, credential, new DefaultPrincipalFactory().createPrincipal(credential.getId())) });
    // Test case #11: Revoked end user certificate
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-valid.crl"));
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates("user-revoked.crt")), true, new RevokedCertificateException(ZonedDateTime.now(ZoneOffset.UTC), null) });
    // Test case #12: Valid certificate on expired CRL data
    final ThresholdExpiredCRLRevocationPolicy zeroThresholdPolicy = new ThresholdExpiredCRLRevocationPolicy(0);
    checker = new ResourceCRLRevocationChecker(new ClassPathResource("userCA-expired.crl"), null, zeroThresholdPolicy);
    checker.init();
    handler = new X509CredentialsAuthenticationHandler(RegexUtils.createPattern(".*"), checker);
    params.add(new Object[] { handler, new X509CertificateCredential(createCertificates(USER_VALID_CRT)), true, new ExpiredCRLException(null, ZonedDateTime.now(ZoneOffset.UTC)) });
    return params;
}
Also used : RevokedCertificateException(org.apereo.cas.adaptors.x509.authentication.revocation.RevokedCertificateException) CertificateExpiredException(java.security.cert.CertificateExpiredException) ArrayList(java.util.ArrayList) DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) ClassPathResource(org.springframework.core.io.ClassPathResource) ThresholdExpiredCRLRevocationPolicy(org.apereo.cas.adaptors.x509.authentication.revocation.policy.ThresholdExpiredCRLRevocationPolicy) ExpiredCRLException(org.apereo.cas.adaptors.x509.authentication.ExpiredCRLException) FailedLoginException(javax.security.auth.login.FailedLoginException) X509CertificateCredential(org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential) ResourceCRLRevocationChecker(org.apereo.cas.adaptors.x509.authentication.revocation.checker.ResourceCRLRevocationChecker) UsernamePasswordCredential(org.apereo.cas.authentication.UsernamePasswordCredential) Parameters(org.junit.runners.Parameterized.Parameters)

Example 7 with DefaultAuthenticationHandlerExecutionResult

use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.

the class HttpBasedServiceCredentialsAuthenticationHandler method authenticate.

@Override
public AuthenticationHandlerExecutionResult authenticate(final Credential credential) throws GeneralSecurityException {
    final HttpBasedServiceCredential httpCredential = (HttpBasedServiceCredential) credential;
    if (!httpCredential.getService().getProxyPolicy().isAllowedProxyCallbackUrl(httpCredential.getCallbackUrl())) {
        LOGGER.warn("Proxy policy for service [{}] cannot authorize the requested callback url [{}].", httpCredential.getService().getServiceId(), httpCredential.getCallbackUrl());
        throw new FailedLoginException(httpCredential.getCallbackUrl() + " cannot be authorized");
    }
    LOGGER.debug("Attempting to authenticate [{}]", httpCredential);
    final URL callbackUrl = httpCredential.getCallbackUrl();
    if (!this.httpClient.isValidEndPoint(callbackUrl)) {
        throw new FailedLoginException(callbackUrl.toExternalForm() + " sent an unacceptable response status code");
    }
    return new DefaultAuthenticationHandlerExecutionResult(this, httpCredential, this.principalFactory.createPrincipal(httpCredential.getId()));
}
Also used : HttpBasedServiceCredential(org.apereo.cas.authentication.HttpBasedServiceCredential) FailedLoginException(javax.security.auth.login.FailedLoginException) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) URL(java.net.URL)

Example 8 with DefaultAuthenticationHandlerExecutionResult

use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.

the class SimpleTestUsernamePasswordAuthenticationHandler method authenticateUsernamePasswordInternal.

@Override
protected AuthenticationHandlerExecutionResult authenticateUsernamePasswordInternal(final UsernamePasswordCredential credential, final String originalPassword) throws GeneralSecurityException, PreventedException {
    final String username = credential.getUsername();
    final String password = credential.getPassword();
    final Exception exception = this.usernameErrorMap.get(username);
    if (exception instanceof GeneralSecurityException) {
        throw (GeneralSecurityException) exception;
    }
    if (exception instanceof PreventedException) {
        throw (PreventedException) exception;
    }
    if (exception instanceof RuntimeException) {
        throw (RuntimeException) exception;
    }
    if (exception != null) {
        LOGGER.debug("Cannot throw checked exception [{}] since it is not declared by method signature.", exception.getClass().getName(), exception);
    }
    if (StringUtils.hasText(username) && StringUtils.hasText(password) && username.equals(password)) {
        LOGGER.debug("User [{}] was successfully authenticated.", username);
        return new DefaultAuthenticationHandlerExecutionResult(this, new BasicCredentialMetaData(credential), this.principalFactory.createPrincipal(username));
    }
    LOGGER.debug("User [{}] failed authentication", username);
    throw new FailedLoginException();
}
Also used : FailedLoginException(javax.security.auth.login.FailedLoginException) GeneralSecurityException(java.security.GeneralSecurityException) PreventedException(org.apereo.cas.authentication.PreventedException) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) AccountLockedException(javax.security.auth.login.AccountLockedException) AccountDisabledException(org.apereo.cas.authentication.exceptions.AccountDisabledException) CredentialExpiredException(javax.security.auth.login.CredentialExpiredException) GeneralSecurityException(java.security.GeneralSecurityException) InvalidLoginTimeException(org.apereo.cas.authentication.exceptions.InvalidLoginTimeException) FailedLoginException(javax.security.auth.login.FailedLoginException) InvalidLoginLocationException(org.apereo.cas.authentication.exceptions.InvalidLoginLocationException) PreventedException(org.apereo.cas.authentication.PreventedException) BasicCredentialMetaData(org.apereo.cas.authentication.BasicCredentialMetaData)

Example 9 with DefaultAuthenticationHandlerExecutionResult

use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.

the class TestOneTimePasswordAuthenticationHandler method authenticate.

@Override
public AuthenticationHandlerExecutionResult authenticate(final Credential credential) throws GeneralSecurityException {
    final OneTimePasswordCredential otp = (OneTimePasswordCredential) credential;
    final String valueOnRecord = credentialMap.get(otp.getId());
    if (otp.getPassword().equals(valueOnRecord)) {
        return new DefaultAuthenticationHandlerExecutionResult(this, new BasicCredentialMetaData(otp), new DefaultPrincipalFactory().createPrincipal(otp.getId()));
    }
    throw new FailedLoginException();
}
Also used : FailedLoginException(javax.security.auth.login.FailedLoginException) DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory) OneTimePasswordCredential(org.apereo.cas.authentication.OneTimePasswordCredential) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) BasicCredentialMetaData(org.apereo.cas.authentication.BasicCredentialMetaData)

Example 10 with DefaultAuthenticationHandlerExecutionResult

use of org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult in project cas by apereo.

the class CentralAuthenticationServiceImplWithMockitoTests method prepareNewCAS.

@Before
public void prepareNewCAS() {
    this.authentication = mock(Authentication.class);
    when(this.authentication.getAuthenticationDate()).thenReturn(ZonedDateTime.now(ZoneOffset.UTC));
    final CredentialMetaData metadata = new BasicCredentialMetaData(RegisteredServiceTestUtils.getCredentialsWithSameUsernameAndPassword("principal"));
    final Map<String, AuthenticationHandlerExecutionResult> successes = new HashMap<>();
    successes.put("handler1", new DefaultAuthenticationHandlerExecutionResult(mock(AuthenticationHandler.class), metadata));
    when(this.authentication.getCredentials()).thenReturn(Arrays.asList(metadata));
    when(this.authentication.getSuccesses()).thenReturn(successes);
    when(this.authentication.getPrincipal()).thenReturn(new DefaultPrincipalFactory().createPrincipal(PRINCIPAL));
    final Service service1 = getService(SVC1_ID);
    final ServiceTicket stMock = createMockServiceTicket(ST_ID, service1);
    final TicketGrantingTicket tgtRootMock = createRootTicketGrantingTicket();
    final TicketGrantingTicket tgtMock = createMockTicketGrantingTicket(TGT_ID, stMock, false, tgtRootMock, new ArrayList<>());
    when(tgtMock.getProxiedBy()).thenReturn(getService("proxiedBy"));
    final List<Authentication> authnListMock = mock(List.class);
    // Size is required to be 2, so that we can simulate proxying capabilities
    when(authnListMock.size()).thenReturn(2);
    when(authnListMock.toArray()).thenReturn(new Object[] { this.authentication, this.authentication });
    when(authnListMock.get(anyInt())).thenReturn(this.authentication);
    when(tgtMock.getChainedAuthentications()).thenReturn(authnListMock);
    when(stMock.getTicketGrantingTicket()).thenReturn(tgtMock);
    final Service service2 = getService(SVC2_ID);
    final ServiceTicket stMock2 = createMockServiceTicket(ST2_ID, service2);
    final TicketGrantingTicket tgtMock2 = createMockTicketGrantingTicket(TGT2_ID, stMock2, false, tgtRootMock, authnListMock);
    mockTicketRegistry(stMock, tgtMock, stMock2, tgtMock2);
    final ServicesManager smMock = getServicesManager(service1, service2);
    final TicketFactory factory = getTicketFactory();
    final AuthenticationServiceSelectionPlan authenticationRequestServiceSelectionStrategies = new DefaultAuthenticationServiceSelectionPlan(new DefaultAuthenticationServiceSelectionStrategy());
    final AuditableExecution enforcer = mock(AuditableExecution.class);
    when(enforcer.execute(any())).thenReturn(new AuditableExecutionResult());
    this.cas = new DefaultCentralAuthenticationService(mock(ApplicationEventPublisher.class), ticketRegMock, smMock, mock(LogoutManager.class), factory, authenticationRequestServiceSelectionStrategies, new AcceptAnyAuthenticationPolicyFactory(), new DefaultPrincipalFactory(), null, enforcer);
    this.cas.setApplicationEventPublisher(mock(ApplicationEventPublisher.class));
}
Also used : AcceptAnyAuthenticationPolicyFactory(org.apereo.cas.authentication.policy.AcceptAnyAuthenticationPolicyFactory) DefaultAuthenticationServiceSelectionStrategy(org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionStrategy) HashMap(java.util.HashMap) TicketGrantingTicket(org.apereo.cas.ticket.TicketGrantingTicket) RegisteredService(org.apereo.cas.services.RegisteredService) Service(org.apereo.cas.authentication.principal.Service) DefaultPrincipalFactory(org.apereo.cas.authentication.principal.DefaultPrincipalFactory) ServiceTicket(org.apereo.cas.ticket.ServiceTicket) AuthenticationServiceSelectionPlan(org.apereo.cas.authentication.AuthenticationServiceSelectionPlan) DefaultAuthenticationServiceSelectionPlan(org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan) DefaultAuthenticationServiceSelectionPlan(org.apereo.cas.authentication.DefaultAuthenticationServiceSelectionPlan) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) AuditableExecution(org.apereo.cas.audit.AuditableExecution) ServicesManager(org.apereo.cas.services.ServicesManager) DefaultTicketFactory(org.apereo.cas.ticket.factory.DefaultTicketFactory) TicketFactory(org.apereo.cas.ticket.TicketFactory) DefaultProxyGrantingTicketFactory(org.apereo.cas.ticket.factory.DefaultProxyGrantingTicketFactory) DefaultProxyTicketFactory(org.apereo.cas.ticket.factory.DefaultProxyTicketFactory) DefaultTransientSessionTicketFactory(org.apereo.cas.ticket.factory.DefaultTransientSessionTicketFactory) DefaultServiceTicketFactory(org.apereo.cas.ticket.factory.DefaultServiceTicketFactory) DefaultTicketGrantingTicketFactory(org.apereo.cas.ticket.factory.DefaultTicketGrantingTicketFactory) Authentication(org.apereo.cas.authentication.Authentication) ApplicationEventPublisher(org.springframework.context.ApplicationEventPublisher) DefaultAuthenticationHandlerExecutionResult(org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult) AuthenticationHandlerExecutionResult(org.apereo.cas.authentication.AuthenticationHandlerExecutionResult) CredentialMetaData(org.apereo.cas.authentication.CredentialMetaData) BasicCredentialMetaData(org.apereo.cas.authentication.BasicCredentialMetaData) AuditableExecutionResult(org.apereo.cas.audit.AuditableExecutionResult) BasicCredentialMetaData(org.apereo.cas.authentication.BasicCredentialMetaData) Before(org.junit.Before)

Aggregations

DefaultAuthenticationHandlerExecutionResult (org.apereo.cas.authentication.DefaultAuthenticationHandlerExecutionResult)16 BasicCredentialMetaData (org.apereo.cas.authentication.BasicCredentialMetaData)12 FailedLoginException (javax.security.auth.login.FailedLoginException)8 CredentialMetaData (org.apereo.cas.authentication.CredentialMetaData)6 AuthenticationHandlerExecutionResult (org.apereo.cas.authentication.AuthenticationHandlerExecutionResult)4 DefaultAuthenticationBuilder (org.apereo.cas.authentication.DefaultAuthenticationBuilder)4 UsernamePasswordCredential (org.apereo.cas.authentication.UsernamePasswordCredential)4 DefaultPrincipalFactory (org.apereo.cas.authentication.principal.DefaultPrincipalFactory)4 AuthenticationBuilder (org.apereo.cas.authentication.AuthenticationBuilder)3 BasicIdentifiableCredential (org.apereo.cas.authentication.BasicIdentifiableCredential)3 TicketGrantingTicket (org.apereo.cas.ticket.TicketGrantingTicket)3 GeneralSecurityException (java.security.GeneralSecurityException)2 HashMap (java.util.HashMap)2 X509CertificateCredential (org.apereo.cas.adaptors.x509.authentication.principal.X509CertificateCredential)2 AuthenticationHandler (org.apereo.cas.authentication.AuthenticationHandler)2 SimpleTestUsernamePasswordAuthenticationHandler (org.apereo.cas.authentication.handler.support.SimpleTestUsernamePasswordAuthenticationHandler)2 Principal (org.apereo.cas.authentication.principal.Principal)2 SpnegoCredential (org.apereo.cas.support.spnego.authentication.principal.SpnegoCredential)2 ServiceTicket (org.apereo.cas.ticket.ServiceTicket)2 URL (java.net.URL)1